Computer communication networks face increasing levels of threats and exploitation all over the world. Conventional network devices such as network switches used in computer networks run various kinds of software code to implement the network's functionality. Attackers attempt to take advantage of vulnerabilities in network software code, for example, code that has not been updated and can be exploited. Often the manufacturer of such code does not know about the vulnerabilities or, if it does, is unable to fix them in time.
One conventional technique for securing networks is software diversification by randomizing the address space layout. Such address space layout randomization has to be supported by the operating system (OS) of the network device as well as by the software code itself; typically, not all software code and not all OSs support it. Even when supported, address space layout randomization moves a whole block of instructions from a first memory space to a different second memory space in a random manner, leaving the relative positions of the instructions within the block unchanged. Consequently, if an attacker can obtain a starting address of the second memory space, the whole address space layout becomes available to the attacker, which compromises the security of the network.
Another conventional technique to provide security to networks is to use software diversification by moving sub-blocks of code to be executed on a network device to different or unique memory spaces. This technique randomizes the internal addresses of the code in the memory, but adds computational overhead to the software being executed. As a result, network latency is significantly increased.
Yet another conventional technique is to provide fine grained randomization of commodity software using address space layout permutation as outlined in the paper “Address Space Layout Permutation (ASLP): Towards Fine-Grained Randomization of Commodity Software,” by Kil et al., Proceedings of the 22nd Annual Computer Security Applications Conference, ACSAC '06, pp. 339-348, Dec. 11-15, 2006. The ASLP technique laid out in this paper takes a final binary file of commodity software and passes that file through a software tool to create different instances of the binary file. However, such a process in which a final binary file after an original creation thereof is tampered with is considered invasive from a commercial software industry point of view. This is so since companies are hesitant to alter the final binary file of their software prior to distribution to customers as such alteration may result in instability and/or lost functionality of tested commercial software.
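The distinction drawn above between whole-block randomization, whose internal offsets survive, and fine-grained permutation of sub-blocks can be measured directly. The following Python simulation is an added example and is not code from this application or from the ASLP paper; the block names, sizes and address ranges are constructed, and the "fine-grained" scheme is a simplified stand-in for ASLP (random base, random block order, random inter-block gaps). It computes, from a defender's point of view, what fraction of a program's layout is exposed by a single disclosed runtime address under each scheme.

```python
import random
from typing import Dict, Tuple

# Constructed sample program: named code sub-blocks (functions) and their sizes
# in bytes. The names and sizes are invented for this illustration and do not
# describe any real network-device software.
SAMPLE_BLOCKS: Dict[str, int] = {
    "main": 0x120,
    "parse_packet": 0x3A0,
    "auth_check": 0x80,
    "log_event": 0x60,
    "forward_frame": 0x200,
}

PAGE = 0x1000            # page granularity used for the randomized base
SHIPPED_BASE = 0x400000  # assumed fixed load address of the unrandomized (shipped) binary


def linked_layout(blocks: Dict[str, int], base: int) -> Dict[str, int]:
    """Layout as the linker emitted it: blocks contiguous, in declaration order."""
    layout, addr = {}, base
    for name, size in blocks.items():
        layout[name] = addr
        addr += size
    return layout


def whole_block_aslr(blocks: Dict[str, int], rng: random.Random) -> Dict[str, int]:
    """Coarse-grained ASLR: the entire code block is moved to a random page-aligned
    base, but the order and spacing of the sub-blocks inside it are unchanged."""
    base = rng.randrange(0x10000, 0x7FFF0000, PAGE)
    return linked_layout(blocks, base)


def fine_grained_permutation(blocks: Dict[str, int], rng: random.Random) -> Dict[str, int]:
    """Simplified ASLP-style diversification (an assumption of this example): a
    random base *and* a random order of the sub-blocks, each followed by a random
    16-byte-aligned gap, so offsets between sub-blocks differ per instance."""
    base = rng.randrange(0x10000, 0x7FFF0000, PAGE)
    order = list(blocks)
    rng.shuffle(order)
    layout, addr = {}, base
    for name in order:
        layout[name] = addr
        addr += blocks[name] + rng.randrange(0, 0x100, 0x10)
    return layout


def recoverable_from_one_leak(reference: Dict[str, int],
                              actual: Dict[str, int],
                              leaked: str) -> float:
    """Defender's risk measure: given the layout of the shipped binary and ONE
    disclosed runtime address, what fraction of the remaining sub-block addresses
    is correctly predicted by assuming that relative offsets were preserved?"""
    delta = actual[leaked] - reference[leaked]
    others = [n for n in reference if n != leaked]
    hits = sum(1 for n in others if reference[n] + delta == actual[n])
    return hits / len(others)


def compare_schemes(trials: int = 200, seed: int = 1,
                    leaked: str = "main") -> Tuple[float, float]:
    """Average recoverable fraction under each scheme over `trials` randomized
    instances. Returns (whole_block_aslr_avg, fine_grained_avg)."""
    rng = random.Random(seed)
    reference = linked_layout(SAMPLE_BLOCKS, SHIPPED_BASE)
    coarse = fine = 0.0
    for _ in range(trials):
        coarse += recoverable_from_one_leak(
            reference, whole_block_aslr(SAMPLE_BLOCKS, rng), leaked)
        fine += recoverable_from_one_leak(
            reference, fine_grained_permutation(SAMPLE_BLOCKS, rng), leaked)
    return coarse / trials, fine / trials


if __name__ == "__main__":
    coarse_avg, fine_avg = compare_schemes()
    print(f"whole-block ASLR: {coarse_avg:.2f} of the layout recoverable from one leaked address")
    print(f"fine-grained permutation: {fine_avg:.2f} of the layout recoverable from one leaked address")
```

Under whole-block randomization the recoverable fraction is always 1.0, which is exactly the weakness the text describes: one known address fixes every other address. Under the permuted layout the fraction drops to near zero, at the cost of rewriting the shipped binary into per-instance variants, which is the commercial objection raised above.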
Various aspects of this application are directed towards addressing these and other drawbacks and challenges of conventional network security systems and methods.